vulnerability
Amazon Linux AMI 2: CVE-2022-49726: Security patch for kernel (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:L/AC:L/Au:S/C:N/I:N/A:C) | Feb 26, 2025 | May 22, 2025 | May 20, 2026 |
Description
In the Linux kernel, the following vulnerability has been resolved:
clocksource: hyper-v: unexport __init-annotated hv_init_clocksource()
EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.
modpost used to detect it, but it has been broken for a decade.
Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.
There are two ways to fix it:
- Remove __init
- Remove EXPORT_SYMBOL
I chose the latter for this case because the only in-tree call-site,
arch/x86/kernel/cpu/mshyperv.c is never compiled as modular.
(CONFIG_HYPERVISOR_GUEST is boolean)
Solutions
References
- AMAZON-AL2/ALAS2KERNEL-5.10-2022-015
- AMAZON-AL2/ALAS2KERNEL-5.15-2022-002
- AMAZON-AL2/ALAS2KERNEL-5.4-2022-028
- AMAZON-AL2/ALASKERNEL-5.10-2022-015
- AMAZON-AL2/ALASKERNEL-5.15-2022-002
- AMAZON-AL2/ALASKERNEL-5.4-2022-028
- CVE-2022-49726
- https://attackerkb.com/topics/CVE-2022-49726
- CWE-908
- EUVD-EUVD-2022-54509
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-54509
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.